AICPA Issues Description Criteria Standards for SOC 2 Reports

The AICPA has released new description criteria standards for SOC 2 reports. The AICPA Assurance Services Executive Committee’s SOC 2® Working Group has developed a set of description criteria benchmarks for use in preparing and evaluating the description of a service organization’s system in a SOC 2 examination, an examination of its controls over security, availability, processing integrity, confidentiality, and privacy.

The new professional standards are in two parts:

Description Criteria (DC) Section 200, Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report; and

DC Section 200A, 2015 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report.

DC Section 200: the 2018 Description Criteria

DC Section 200 presents description criteria for use in a SOC 2 examination but does not address trust services criteria. It also includes implementation guidance that discusses factors to consider when making judgments about the nature and extent of disclosures called for by each criterion. The standard also notes that users are to apply the description criteria using professional judgment to consider the facts and circumstances of the service organization and its environment.

DC Section 200 provides guidance on the following:

The availability and suitability of the description criteria, including their relevance, objectivity, measurability and completeness;

Preparing and evaluating the presentation of the description of the service organization’s system in accordance with the description criteria;

Materiality considerations when preparing and evaluating whether the description is presented in accordance with the description criteria; and

Description criteria and implementation guidance in columnar format.

The guidance in DC Section 200 should be used in conjunction with the 2017 trust services criteria set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy in a SOC 2® report.

DC Section 200A: the 2015 Description Criteria

DC Section 200A, the 2015 description criteria, reproduce paragraphs 1.26–.27 of the 2015 edition of AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®). The AICPA intends for DC Section 200A to be used in conjunction with the 2016 trust services criteria of TSP section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (2016) (AICPA, Trust Services Principles), in a SOC 2® report.

To determine which description criteria section should be used, DC Section 200A notes that the “2015 description criteria may be used when preparing a description of the service organization’s system as of December 15, 2018, or prior to that date (type 1 examination) or a description for periods ending as of December 15, 2018, or prior to that date (type 2 examination).” For “a description of the service organization’s system as of or after December 16, 2018, (type 1 examination) or a description of the system for periods ending as of or after that date (type 2 examination), the 2018 description criteria should be used.”

During the transition period between the two standards, DC Section 200A provides that management should identify in the description which of the 2018 or 2015 description criteria it used.